Proposal: Security Assessment from Team Atlanta (DARPA AIxCC)

[occia]

Hi prestodb developers,

We (LeeSinLiang, and Cen Zhang, and a lot of our team members) are Team Atlanta from Georgia Institute of Technology, winners of DARPA's AI Cyber Challenge (AIxCC). We're reaching out to propose a security assessment collaboration with your project. This effort is recommended by DARPA's initiative to apply competition technologies to real-world open source projects.

Background

We have built an AI-enhanced CRS (Cyber Reasoning System) for automatic vulnerability detection and repair.

• AIxCC Competition: https://aicyberchallenge.com/
• Our Team: https://team-atlanta.github.io/

What we plan to provide

• OSS-Fuzz Integration:
  • If your project isn't yet supported by OSS-Fuzz, we'll develop compatible fuzzing harnesses to enable its integration. This can make our system applicable to your project.
• Security Assessment:
  • We'll run assessments locally on our infrastructure (no changes/efforts from your side) to identify potential vulnerabilities and synthesize corresponding patches.
• Detailed Reports:
  • For any findings, we'll provide reports including: 1) identified vulnerabilities and explanations, 2) the proof-of-concept (PoC) to trigger those vulnerabilities, and 3) corresponding patches.
• Responsible Disclosure:
  • We'll follow your preferred reporting channels (private email, OSS-Fuzz bug report system, or whatever channel you prefer) and coordinate disclosure timelines with your team. Note that all findings will be further manually validated by our researchers before reporting to ensure quality and accuracy.

What we need

A brief acknowledgment confirming your willingness to collaborate. This will serve as approval for our assessment plans.

Looking forward to your response and please let me know for any further issues/concerns!

[tdcmeehan]

We welcome this initiative, and are looking forward to collaborating to improve the security of Presto. Please note we have not established a preferred reporting channel, but will soon, and this will be documented in SECURITY.md.

[occia]

thanks!